Application of the cause-consequence diagram method to static systems
This item was submitted to Loughborough University's Institutional Repository by the/an author.
Additional Information: http://www.sciencedirect.com/science/journal/09518320.
Summary
In the last 30 years various mathematical models have been used to identify the effect of component failures on the performance of a system. The most frequently used technique for system reliability assessment is Fault Tree Analysis (FTA), and a large proportion of its popularity can be attributed to the fact that it provides very good documentation of the way that the system failure logic was developed. Exact quantification of the fault tree, however, can be problematic for very large systems, and in such situations approximations can be used. Alternatively, an exact result can be obtained via the conversion of the fault tree into a binary decision diagram. The binary decision diagram, however, loses all failure logic documentation during the conversion process.

This paper outlines the use of the Cause-Consequence Diagram method as a tool for system risk and reliability analysis. As with the fault tree analysis method, the Cause-Consequence Diagram documents the failure logic of the system. In addition, the Cause-Consequence Diagram produces the exact failure probability by a very efficient calculation procedure. The Cause-Consequence Diagram technique has been applied to a static system and shown to yield the same results as those produced by the solution of the equivalent fault tree and binary decision diagram. On the basis of this, general rules have been devised for the correct construction of the Cause-Consequence Diagram given a static system. The use of the cause-consequence method in this manner has significant implications in terms of efficiency of the reliability analysis and can be shown to have benefits for static systems.
1
1. Introduction
Analysis of industrial systems is carried out to aid in the protection of facilities and to help reduce the risk of adverse events such as loss of profit, injury or death by reducing the frequency or consequences of such accidents. Since the early 1960s various mathematical models have been used to perform reliability analysis in order to predict the likelihood that a system will function given a demand. Each analysis model has different features which make it more appropriate to some system types than others, and to achieve the most efficient analysis the simplest technique should be utilised.
The most commonly employed technique used to assess the probability of failure of industrial systems is the Fault Tree Analysis (FTA) method (1). For systems containing independent failure events it has been shown that the FTA technique produces a logical description of the failure process and can also yield, among other things, the system's unreliability. It has been highlighted, however, that this technique has limitations even when it is applied to systems containing independent failure events. Qualitatively, if the fault tree is complex then finding the minimal cut sets can be CPU intensive. In addition, the exact top event probability, found via the inclusion-exclusion formula, may also be computationally expensive if the system contains even a moderate number of minimal cut sets. In the past this problem has been solved by using approximations for the top event probability. These approximations, however, can be inaccurate if the likelihood of component failure is not small. The problem of inaccuracies due to approximation techniques has recently been alleviated by the development of the Binary Decision Diagram (BDD) approach (2).
BDDs are based on Bryant's trees (3) and obtain the exact top event probability efficiently by expressing the system failure modes as disjoint paths. The top event probability is then obtained by summing the probabilities of these disjoint paths. This analysis procedure makes the BDD technique more efficient than the traditional FTA technique. The BDD, however, cannot be constructed directly from the system description; it is developed from the fault tree representation of the system. During the conversion process the BDD loses all the causality information that is represented in the fault tree structure. In addition, an inefficient ordering of the basic events can result in an excessively large diagram, which can prove difficult to analyse, reducing the efficiency of the method.
A technique, however, has been developed that represents all system outcomes, given an initial event, on a diagram which contains a full textual description of the system's behaviour and produces an exact quantification of the system failure probability. The technique is based on the Cause-Consequence Diagram method, which was developed at RISO laboratories in the 1970s to aid in the reliability analysis of nuclear power plants in Scandinavian countries (4). The method involves the identification of the potential modes of failure of individual components and then relates the causes to the ultimate consequences for the system (5). The consequences evaluated include those that represent system failure as well as those that represent other system behaviour. As all consequence sequences are investigated, the method can assist in identifying system outcomes which may not have been envisaged at the design stage.
The Cause-Consequence Diagram is developed from some initiating event, i.e. an event that starts a particular operational sequence or an event which activates certain safety systems. The Cause-Consequence Diagram combines two conventional reliability analysis methods, the FTA method and the Event Tree Analysis method. The Event Tree method is used to identify the various paths that the system could take, following the initiating event, depending on whether certain subsystems/components function correctly or not. The fault tree method is used to describe the failure causes of the subsystems considered in the event tree part of the diagram. This relationship is shown in figure 1.
[Figure 1: Relationship between the two parts of a Cause-Consequence Diagram: the initiating event; the cause part (causes of failure of the accident-limiting systems, described by fault tree analysis); and the consequence part (identification of the sequence depending on the accident-limiting systems, described by event tree analysis)]
Symbol | Function
Decision Box ("Component/System Functions Correctly", with NO and YES exits) | Represents the functionality of a component/system.
NO box (q_i) | Represents failure to perform correctly, the probability of which is obtained via a fault tree or a single component failure probability q_i.
Fault Tree Arrow (Ft1) | Represents the number of the fault tree structure which corresponds to the decision box.
Initiator triangle (λ = ...) | Represents the initiating event for a sequence, where λ indicates the rate of occurrence.
Time delay (t = x hrs) | Indicates that the time starts from the time at which the delay symbol is entered and continues up to the end of the time interval in the delay symbol.
OR gate symbol | Used to simplify the Cause-Consequence Diagram when more than one decision box enters the same decision box or consequence box.
Consequence Box | Represents the outcome event due to a particular sequence of events.
Table 1 Cause-Consequence Diagram Symbols and Functions
The Cause-Consequence Diagram technique has been applied to a static system and
shown to yield the same results as those produced by the solution of the equivalent
fault tree. On the basis of this study general rules have been devised for the correct
construction of the Cause-Consequence Diagram given a static system. The use of the
cause-consequence method in this manner has significant implications in terms of
efficiency of the reliability analysis and can be shown to have benefits for static
systems. The algorithm for static system analysis is as follows:
Step 1 Component Failure Event Ordering
If the order of failure is irrelevant, which is the case in a static system, then the Cause-Consequence Diagram can be initiated by considering any of the components in the system. The analysis of the Cause-Consequence Diagram should yield identical results regardless of the component or variable ordering; however, the actual diagrams may vary in size. The first step of the Cause-Consequence Diagram construction is therefore deciding on the order in which component failure events are to be taken. To ensure a logical development of the causes of the system failure mode it was decided that the ordering should follow the temporal action of the system, for example the system's activation for the function required.
Step 2 Cause-Consequence Diagram Construction
The second stage involves the actual construction of the diagram. Starting from the initiating component, the functionality of each component or sub-system is investigated and the consequences of these sequences determined. If the decision box is governed by a sub-system then the probability of failure will be obtained via a fault tree diagram.
Step 3 Reduction
If any decision boxes are deemed irrelevant, for example because the boxes attached to the NO and YES branches are identical and their outcomes and consequences are the same, then these should be removed and the diagram reduced to a minimal form. Removal of these boxes will in no way affect the end result. This is illustrated in figure 2, where failure (F) occurs via either of the two paths that terminate in the failure consequence. On one path component A works, on the other it fails, showing that the state of component A represented by the decision box is irrelevant.
[Figure 2: An irrelevant decision box. The box "Component A Functions Correctly" has NO and YES branches that each lead to an identical "Component B Functions Correctly" box with the same outcomes (F, W), so the state of A does not affect the result]
When a redundant decision box is identified, reduction is achieved by removing the box
and entering the next decision/consequence box encountered in its place. Each decision
box is inspected and when no further redundancies exist the Cause-Consequence
Diagram is deemed minimal.
Step 4 System Failure Quantification
The probability of each consequence for a static system is determined by summing the probability of each set of events which leads to this particular outcome. Each sequence probability is obtained by simply multiplying the probabilities of the component events represented by the branch, as illustrated by Nielsen (8). This is possible as the sequences of events are mutually exclusive and the component failure events are assumed independent. The 4-step procedure can be represented in a flowchart as shown in figure 3.
[Figure 3: Flowchart of the procedure: decide on ordering due to the temporal action of the system; construct the Cause-Consequence Diagram by considering the functionality of each sub-system/component; any irrelevant decision boxes? If yes, reduce the Cause-Consequence Diagram by removal of redundant boxes and check again; if no, proceed to analysis]
[Figure 4: Fault tree for the simple example: TOP = G1 + C with G1 = A.B, i.e. TOP = AB + C]
To illustrate the algorithm it was first applied to a simple system whose fault tree, TOP = AB + C, is shown in figure 4. The Cause-Consequence Diagram was constructed and analysed using the algorithm developed.
Steps 1 and 2 Component Failure Event Ordering and Cause-Consequence
Diagram Construction
The ordering chosen was that of A, B, C and the Cause-Consequence Diagram was
constructed by inspecting the failures of those components in that order (Figure 5).
Step 3 Reduction
Boxes 3 and 4 are both irrelevant and were therefore removed. This process reduced
the Cause-Consequence Diagram, the final form being illustrated in figure 6, and as no
further redundancies existed the diagram was minimal.
[Figure 5: Cause-Consequence Diagram for the ordering A, B, C. Decision box 1 is "Component A Functions Correctly" (q_a); boxes 2 and 3 are "Component B Functions Correctly" (q_b) on its NO and YES branches; the Component C boxes (q_c) follow. The eight sequence outcomes 1 to 8 are F F F W F W F W. F: System Failure, W: System Works]
[Figure 6: Reduced Cause-Consequence Diagram after removal of boxes 3 and 4; decision boxes for A (q_a) and C (q_c) remain, with consequences F and W]
Step 4 System Failure Quantification
The probability of system failure is equal to the sum of the probabilities of the three sequence paths that lead to the consequence 'F'. Therefore, since the paths are mutually exclusive:
The fault tree quantification, using the exact method, calculates the top event
probability to be identical to that obtained by the Cause-Consequence Diagram
approach. By studying the reduced form of the Cause-Consequence Diagram it can be
noted that it is equivalent to the Binary Decision Diagram (BDD) for the fault tree in
figure 4, with the variable ordering A<B<C (Figure 7). The top event probability can
also be obtained directly from the BDD by multiplying the probabilities down the
paths that lead to the terminal 1 node (9).
[Figure 7: BDD for AB + C with the variable ordering A<B<C. Root node A: its 1 branch leads to node B and its 0 branch to a node C. Node B: 1 branch to terminal 1, 0 branch to a node C. Each node C: 1 branch to terminal 1, 0 branch to terminal 0]
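The four-step algorithm of section 2 and the simple example above, worked through as an added example (this is not code from the paper): it expands one decision box per component in the chosen order, removes irrelevant boxes whose NO and YES branches are identical, enumerates the mutually exclusive sequences ending in F and sums their probabilities, then checks the result against inclusion-exclusion on the cut sets {A,B} and {C}. The values q_a, q_b, q_c are constructed sample probabilities.

```python
# Added example: the four-step Cause-Consequence Diagram algorithm applied to the simple static system TOP = A.B + C (figure 4).
def top_event(state):
    """Structure function of TOP = AB + C. state maps each component to
    1 (failed) or 0 (working); True means the consequence F (system failure)."""
    return bool((state["A"] and state["B"]) or state["C"])

def build_diagram(order, structure, fixed=None):
    """Steps 1 and 2: one decision box per component, taken in the chosen order.
    A node is the consequence 'F' or 'W', or a tuple (component, no_branch, yes_branch)."""
    fixed = fixed or {}
    if len(fixed) == len(order):                   # every component decided
        return "F" if structure(fixed) else "W"    # consequence box
    comp = order[len(fixed)]
    no = build_diagram(order, structure, {**fixed, comp: 1})   # NO: component fails
    yes = build_diagram(order, structure, {**fixed, comp: 0})  # YES: component works
    return (comp, no, yes)

def reduce_diagram(node):
    """Step 3: a decision box whose NO and YES branches are identical is
    irrelevant; it is removed and the branch it led to takes its place."""
    if isinstance(node, str):
        return node
    comp, no, yes = node
    no, yes = reduce_diagram(no), reduce_diagram(yes)
    return no if no == yes else (comp, no, yes)

def failure_paths(node, path=()):
    """Sequences of branch choices that end in F; they are mutually exclusive
    because any two of them differ in at least one branch."""
    if node == "F":
        return [path]
    if node == "W":
        return []
    comp, no, yes = node
    return (failure_paths(no, path + ((comp, 1),))
            + failure_paths(yes, path + ((comp, 0),)))

def failure_probability(node, q):
    """Step 4: sum over the F paths of the product of the branch probabilities
    (q for a NO branch, 1 - q for a YES branch); needs independent events."""
    total = 0.0
    for path in failure_paths(node):
        p = 1.0
        for comp, failed in path:
            p *= q[comp] if failed else 1.0 - q[comp]
        total += p
    return total

def count_boxes(node):
    """Number of decision boxes in the tree-shaped diagram."""
    return 0 if isinstance(node, str) else 1 + count_boxes(node[1]) + count_boxes(node[2])

def inclusion_exclusion(q):
    """Exact top event probability from the minimal cut sets {A, B} and {C}."""
    return q["A"] * q["B"] + q["C"] - q["A"] * q["B"] * q["C"]

Q = {"A": 0.1, "B": 0.2, "C": 0.05}                # constructed sample values
FULL = build_diagram(("A", "B", "C"), top_event)   # 7 decision boxes, 8 sequences
REDUCED = reduce_diagram(FULL)                     # 3 sequences lead to F
```

The reduced tree still lists the C box twice under the A branches; the paper's drawing merges such shared boxes with the OR gate symbol of table 1.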
4. Repeated Events
is obtained by summation of the probabilities of all paths that lead to the outcome. Summation of the probabilities of the mutually exclusive paths results in the development of the reduced form which would be obtained from the fault tree following Boolean reduction. An algorithm has been developed that can trace through a Cause-Consequence Diagram and identify and extract any basic events repeated in more than one fault tree structure on the same sequence path. The procedural steps used in the extraction algorithm are:
2) Each fault tree identified in a path undergoes a modularisation process (10) and the
independent subtrees identified are stored.
3) Each independent subtree for each fault tree diagram is compared to one another
and following the identification of any common subtrees or individual basic events
the Cause-Consequence Diagram is modified.
This procedure is repeated until all sequence paths have been inspected and no
repeated subtrees or basic events discovered.
5. Industrial Example
As an example the technique has been applied to the simple high pressure protection system depicted in figure 8. The basic functions of the components present in the high pressure protection system are shown in table 2. The function of the system is to prevent the passage of a high-pressure surge. The high pressure originates from a production well, and the equipment to be protected is the vessels located downstream on the processing platform.
[Figure 8: The high pressure protection system: the production well (WELL) and the pressure sensors P1 to P6]
The first level of protection is the emergency shutdown (ESD) sub-system. This comprises three pressure sensors, of which 2 out of 3 must indicate a high pressure to cause a trip, and three shutdown valves, a Master, a Wing and an ESD valve, which activate to trip. If a high pressure surge is detected then the ESD system acts to close the Master valve, the Wing valve and the ESD valve. To provide an additional level of protection a second sub-system is included, the high-integrity protection sub-system (HIPS). This sub-system also comprises three pressure sensors, 2 to trip, and two isolation valves labelled HIPS1 and HIPS2. The HIPS works in an identical manner to the ESD but has independent pressure sensors. The pressure sensors for each sub-system feed information into a common computer.
The Cause-Consequence Diagram was constructed following the rules given in section 2.
Component | Function | Failure Modes | λ | Mean Repair Time | Maintenance Test Interval
Master Valve | To stop high pressure surge passing through system | Valve fails open: VM | 1.14x10-5 | 36.0 | 4360
Wing Valve | To stop high pressure surge passing through system | Valve fails open: VW | 1.14x10-5 | 36.0 | 4360
ESD Valve | To stop high pressure surge passing through system | Valve fails open: VE | 5.44x10-6 | 36.0 | 4360
HIPS1 Valve | To stop high pressure surge passing through system | Valve fails open: VH1 | 5.44x10-6 | 36.0 | 4360
HIPS2 Valve | To stop high pressure surge passing through system | Valve fails open: VH2 | 5.44x10-6 | 36.0 | 4360
Solenoid | To supply power to valves | Fails Energized: SM, SW, SE, SH1, SH2 | 5.0x10-6 | 36.0 | 4360
Relay Contacts | To supply power to solenoids (2 per solenoid) | Fails Closed: R1-R10 | 0.23x10-6 | 36.0 | 4360
Pressure Sensors | Indicates the level of pressure to the computer | Fails to record actual pressure: P1-P6 | 1.5x10-6 | 36.0 | 4360
Computer | Reads information sent from pressure sensors and acts to close appropriate valves | Fails to read or act on information: C | 1x10-5 | 36.0 | 4360
Table 2 Component functions and failure data for the high pressure protection system
The ordering was based on the action of the components which could perform the task required by the system, i.e. Master Valve, Wing Valve, ESD Valve, HIPS1 Valve, HIPS2 Valve. The Cause-Consequence Diagram was constructed by considering the functionality of each valve and its effect on the system. Following the removal of all redundant decision boxes the minimal cause-consequence structure was created (Figure 9). The fault trees developed for each decision box are illustrated in figures 10a and 10b.
[Figure 9: Minimal Cause-Consequence Diagram for the high pressure protection system. Initiating event: High Pressure Surge. Decision boxes in order: 1 Master Valve Shuts (Ft1), 2 Wing Valve Shuts (Ft2), 3 ESD Valve Shuts (Ft3), 4 HIPS1 Valve Shuts (Ft4), 5 HIPS2 Valve Shuts (Ft5). Each YES branch leads to the consequence SD (Shutdown); each NO branch leads to the next decision box, and the NO branch of box 5 leads to HP (High Pressure Surge)]
[Figure 10a: Fault trees for the ESD sub-system decision boxes. Ft1 Master Valve Fails Open (gate G1): VM, SM, C, and a 2-out-of-3 vote over P1, P2, P3. Ft2 Wing Valve Fails Open (gate G7): VW, SW, C, and a 2-out-of-3 vote over P1, P2, P3. Ft3 ESD Valve Fails Open (gate G13): VE, or Solenoid Energised (gate G15): SE, or Power to Solenoid: C, or a 2-out-of-3 vote over P1, P2, P3]
Figure 10a Fault Trees for Cause-Consequence Diagram for ESD sub-system
[Figure 10b: Fault trees for the HIPS sub-system decision boxes. Ft4 HIPS1 Valve Fails Open (gate G19): VH1, SH1, C, and a 2-out-of-3 vote over P4, P5, P6. Ft5 HIPS2 Valve Fails Open (gate G25): VH2, SH2, C, and a 2-out-of-3 vote over P4, P5, P6]
Figure 10b Fault Trees for Cause-Consequence Diagram for HIPS sub-system
From this new version of the Cause-Consequence Diagram for the HIPS system, all
sequence paths were investigated and modified accordingly using the rules outlined in
section 4.
Probability (High Pressure) = $\sum_{i=1}^{n} P(\text{Path } i)$
Component failures on the safety system are unrevealed and are tested and repaired on scheduled maintenance. Their failure probabilities are given by equation (1), where λ_i is the failure rate of component i, τ the mean repair time and θ the maintenance test interval (table 2):

$Q_i = \lambda_i \left( \tau + \frac{\theta}{2} \right)$ (1)
The system unavailability was calculated as 2.216x10-2. The figure is identical to that produced by the FTA and BDD methods. This result does not reflect poorly on the Cause-Consequence Diagram method in comparison to the FTA method; it merely emphasizes the fact that this particular system can be failed by a single component, the computer (equation (1) with the data of table 2 gives 1x10-5 x (36.0 + 4360/2) = 2.216x10-2 for the computer alone). The remaining minimal cut sets are of order 4 or more and therefore have little effect on the overall system unavailability. For a system that contained a large number of small order minimal cut sets the Cause-Consequence Diagram method would yield a more accurate result than that obtained via FTA. The Cause-Consequence Diagram produced is of a similar form to that of the BDD for the system; however, the Cause-Consequence Diagram is more concise due to the extraction of common submodules rather than the extraction of each basic event present in the submodule.
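Quantification of the industrial example as an added example (not the paper's code): it applies equation (1) to the data of table 2 and then sums the probabilities of the mutually exclusive complete component-state sequences that end in HP, evaluating the fault trees Ft1 to Ft5 as read from figures 10a and 10b. It assumes the relay contacts of table 2 can be left out, since they do not appear in those fault trees, and shows that the result rounds to the paper's 2.216x10-2 with almost all of it coming from the single-component cut set C (the computer), which the repeated-event handling of section 4 has to treat as one shared event across all five trees.

```python
# Added example: quantification of the high pressure protection system from
# table 2 and figures 9, 10a and 10b. Every complete assignment of failed/working
# component states is one mutually exclusive path; P(HP) is the sum over the
# paths on which all five valves fail to shut.
from itertools import product

TAU = 36.0      # mean repair time (hours), table 2
THETA = 4360.0  # maintenance test interval (hours), table 2

# Failure rates lambda from table 2. Relay contacts R1-R10 are omitted because
# they do not appear in the fault trees of figures 10a/10b (assumption).
LAMBDA = {
    "VM": 1.14e-5, "VW": 1.14e-5, "VE": 5.44e-6, "VH1": 5.44e-6, "VH2": 5.44e-6,
    "SM": 5.0e-6, "SW": 5.0e-6, "SE": 5.0e-6, "SH1": 5.0e-6, "SH2": 5.0e-6,
    "P1": 1.5e-6, "P2": 1.5e-6, "P3": 1.5e-6, "P4": 1.5e-6, "P5": 1.5e-6, "P6": 1.5e-6,
    "C": 1.0e-5,
}

def unavailability(lam, tau=TAU, theta=THETA):
    """Equation (1), unrevealed failure tested every theta hours: Q = lambda (tau + theta/2)."""
    return lam * (tau + theta / 2.0)

def two_out_of_three(a, b, c):
    """Vote gate: at least 2 of the 3 sensors fail to record the actual pressure."""
    return a + b + c >= 2

def valves_fail_to_shut(s):
    """Fault trees Ft1..Ft5 as read from figures 10a/10b; HP needs all five to fail."""
    esd_sensors = two_out_of_three(s["P1"], s["P2"], s["P3"])
    hips_sensors = two_out_of_three(s["P4"], s["P5"], s["P6"])
    ft1 = s["VM"] or s["SM"] or s["C"] or esd_sensors     # Master valve fails open
    ft2 = s["VW"] or s["SW"] or s["C"] or esd_sensors     # Wing valve fails open
    ft3 = s["VE"] or s["SE"] or s["C"] or esd_sensors     # ESD valve fails open
    ft4 = s["VH1"] or s["SH1"] or s["C"] or hips_sensors  # HIPS1 valve fails open
    ft5 = s["VH2"] or s["SH2"] or s["C"] or hips_sensors  # HIPS2 valve fails open
    return bool(ft1 and ft2 and ft3 and ft4 and ft5)

def high_pressure_probability(lambdas=LAMBDA):
    """Exact P(HP): sum of the probabilities of the mutually exclusive complete
    state paths that end in HP (product of q or 1 - q along each path)."""
    q = {name: unavailability(lam) for name, lam in lambdas.items()}
    names = list(q)
    total = 0.0
    for states in product((0, 1), repeat=len(names)):
        s = dict(zip(names, states))
        if valves_fail_to_shut(s):
            p = 1.0
            for name, failed in s.items():
                p *= q[name] if failed else 1.0 - q[name]
            total += p
    return total

def computer_only_contribution(lambdas=LAMBDA):
    """The order-1 minimal cut set {C}: the computer failing on its own."""
    return unavailability(lambdas["C"])

if __name__ == "__main__":
    print(f"P(HP) = {high_pressure_probability():.4e}")   # 2.2160e-02
    print(f"Q(C)  = {computer_only_contribution():.4e}")  # 2.2160e-02
```

The full enumeration visits 2^17 state paths; the remaining cut sets (order 4 and above) add only of the order of 10^-8 to the computer's contribution.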
6. Conclusion
An algorithm has been developed that will produce the correct Cause-Consequence
Diagram and calculate the exact system failure probability for static systems with
binary success or failure responses to the trigger event. This is achieved without
having to construct the fault tree of the system and retains the documented failure logic
of the system.
7. References
[Figure: Cause-Consequence Diagram for the high pressure protection system after extraction of the common ESD pressure-sensor submodule. Initiating event: High Pressure Surge. Decision box 6, Pressure Sensor submodule works (Ft6); on the branch where the submodule fails, boxes 4 HIPS1 Valve Shuts (Ft4) and 5 HIPS2 Valve Shuts (Ft5); on the branch where it works, boxes 7 Master Valve Shuts (Ft7), 8 Wing Valve Shuts (Ft8), 9 ESD Valve Shuts (Ft9), 10 HIPS1 Valve Shuts (Ft10) and 11 HIPS2 Valve Shuts (Ft11). Each YES branch leads to SD (Shutdown); the final NO branch of each chain leads to HP (High Pressure Surge)]
[Figure: Fault trees Ft6 (pressure transmitters fail), Ft7 (Master Valve fails: VM, C, valve solenoid energised) and Ft8 (Wing Valve fails: VW, C, solenoid energised), with relay contacts R1 to R4, and the ESD Valve fails tree (VE, solenoid fails SE, power to solenoid through relay contacts R5 and R6)]
[Figure 13: Cause-Consequence Diagram with decision boxes 13 HIPS1 Valve Shuts (Ft13), 14 HIPS2 Valve Shuts (Ft14), 16 Master Valve Shuts (Ft16), 17 Wing Valve Shuts (Ft17), 18 ESD Valve Shuts (Ft18), 21 HIPS pressure sensor submodule works (Ft21), 22 HIPS1 Valve Shuts (Ft22) and 23 HIPS2 Valve Shuts (Ft23); consequences SD (Shutdown) and HP (High Pressure Surge)]
Figure 14 Fault Trees for figure 13